In a previous series that I wrote on building a microservice from the ground up with Quarkus and Kotlin, the service was secured using OpenID Connect. The premise was that the service would sit behind an API gateway and be invoked by another microservice using JWTs issued by an OIDC provider. For component tests we used Keycloak as the provider, which is also a good choice for hosting your own OIDC server. We also demonstrated how Okta could be used as an external OIDC provider for issuing JWTs. In this article we will explore using Amazon Cognito.

What is Amazon Cognito?

Cognito is a cloud-based identity and access management service. It supports OAuth 2.0 and OpenID Connect, and it can be a cost-effective way to manage a large user base for your platform. It consists of two main components:

User Pools

A user directory in Cognito that provides all the security services you would expect for managing users, such as sign-up, sign-in, MFA, social login and user administration. Cognito normalises any tokens received via federated login and returns Cognito User Pool (CUP) tokens. These are standard JWTs, so you do not have to deal with the original token format of each federated provider.

Identity Pools

Identity pools grant access to AWS services via federated identities. Using an identity pool you can exchange an identity for temporary AWS credentials and use them to call AWS services. This is illustrated in Step 2 and Step 3 of the diagram below.
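Because the CUP tokens described under User Pools are plain JWTs, a resource server only has to apply the standard checks that AWS documents for Cognito tokens: verify the RS256 signature against the keys published at the user pool's `/.well-known/jwks.json` endpoint under its issuer URL, then check `iss`, `token_use`, the audience (`aud` for ID tokens, `client_id` for access tokens) and `exp`. The following Go program is an added example and is not code from the original article (whose service is written in Kotlin on Quarkus, where the Quarkus OIDC extension performs these checks for you); it makes the checks explicit so you can see what must hold before any claim is trusted. The user pool id, app client id, key id and the RSA key are constructed placeholders, and `SignToken` stands in for Cognito's own token issuance so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Claims a service checks on a Cognito User Pool token: ID tokens carry the app client id in "aud", access tokens in "client_id".
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
	Sub      string `json:"sub"`
}

// Verifier holds the expected issuer, the app client id and the RSA keys from <issuer>/.well-known/jwks.json, by "kid".
type Verifier struct {
	Issuer, ClientID string
	Keys             map[string]*rsa.PublicKey
}

// Verify applies the checks AWS documents for Cognito tokens, signature first, so no claim is trusted before it is authentic.
func (v *Verifier) Verify(token, wantUse string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	key, ok := v.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // the token never gets to pick the algorithm or the key
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c Claims // only now are the claims trustworthy
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != v.Issuer || c.TokenUse != wantUse {
		return nil, fmt.Errorf("issuer %q / token_use %q not accepted here", c.Iss, c.TokenUse)
	}
	if (wantUse == "id" && c.Aud != v.ClientID) || (wantUse != "id" && c.ClientID != v.ClientID) {
		return nil, fmt.Errorf("token was not issued for this app client")
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// SignToken stands in for Cognito's own signing: it mints an RS256 JWT with a key we generate here.
func SignToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; real keys come from the JWKS endpoint
	v := &Verifier{ // pool id and client id are placeholders
		Issuer:   "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
		ClientID: "example-app-client-id",
		Keys:     map[string]*rsa.PublicKey{"constructed-kid": &priv.PublicKey},
	}
	exp := time.Now().Add(time.Hour).Unix()
	access := SignToken(priv, "constructed-kid", Claims{Iss: v.Issuer, ClientID: v.ClientID, TokenUse: "access", Exp: exp, Sub: "user-1"})
	_, err := v.Verify(access, "access")
	fmt.Println("access token presented as access token:", err)
	_, err = v.Verify(access, "id")
	fmt.Println("access token presented as ID token:", err)
}
```

The ordering matters: the signature is verified before the payload is even parsed, the `alg` header is pinned to RS256 rather than read from the token, and the `token_use` check stops an access token from being accepted where an ID token is expected (and vice versa), which is the Cognito-specific check that generic JWT middleware often omits. In production the `Keys` map is populated from the JWKS document and refreshed when an unknown `kid` appears, since Cognito rotates keys.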


Securing Micro Services in Quarkus with AWS Cognito